REGEX in blacklist doesn't work as intended

osakachan · ‎07-13-2021

Hello folks,

I encountered a problem when trying to filter events from WinEventLog and EventCode 4662. When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.

blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))"

I tried some changes to the regex but I do not find a solution for this. Thanks for your time.

venkatasri · ‎07-13-2021

@osakachan Can you check are you following allowed regex its little different from PCRE- inputs.conf - Splunk Documentation

codebuilder · ‎07-13-2021

Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!

REGEX in blacklist doesn't work as intended

administration

configuration

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >

REGEX in blacklist doesn't work as intended

administration

configuration

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20. Learn More or Register Now >

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Learn More or Register Now >